Hello,
I would like some feedback on two issues regarding the signature for
CVE-2014-0503:
1. Why is it classified as PUA (PUA.HTML.Exploit.CVE_2014_0503) when
this is a vulnerability and the signature's name says it detects its
"exploit"? I think there's nothing "potentially" unwanted about exploits,
they're pretty much as unwanted as a virus or trojan; they can be useful
for security specialists but not for most people . Furthermore, there's no
mention of PUA.HTML in the PUA Documentation Page
<http://www.clamav.net/doc/pua.html>.
2. The signature for CVE-2014-0503 is:
PUA.HTML.Exploit.CVE_2014_0503:3:*:3c656d626564{-50}7372633d{-50}3030{-50}2e737766
which amounts to a regular expression like:
<embed.{0,50}src=.{0,50}00.{0,50}\.swf
which matches completely innocent web pages containing strings like this
one:
<embed src="somepath/somename150x100.swf"
I saw that false positives in PUA signatures are not welcome at the old
contact form (http://cgi.clamav.net/sendvirus.cgi). I reported this on
July 7 2015 through http://www.clamav.net/report/fp which has no such
restriction, with concrete examples of this problem happening in real
pages, but got no answer.
For cases like this one, in which there are a lot of false positives, there
should be some way for the clamav user to disable specific signatures
without having to disable the whole PUA collection and without having to
edit the signatures file (if that is even possible, idk).
Thanks.
LT